
Automated Extraction of Inductive Invariants to Aid Model Checking

Mike Case, DES/CHESS Seminar, EECS Department, UC Berkeley, April 10, 2007


Presentation Transcript


  1. Automated Extraction of Inductive Invariants to Aid Model Checking
  Mike Case, DES/CHESS Seminar, EECS Department, UC Berkeley, April 10, 2007

  2. Motivation
  • Want to build the fastest unbounded model checker
  • Can get significant speedup from knowledge of a few local properties (inductive invariants)
  • Want to find and prove inductive invariants
    • Not all invariants are useful for model checking
  • In previous work, we have a way to quickly prove many local properties
    • Can these be limited to properties that are useful for verification?
    • Is there an easy way to incorporate this information into a model checker?
  Mike Case, DES Seminar

  3. Research overview (roadmap diagram with nodes Approximate Reachable States, Sequential Synthesis, Interpolation, Better Verification, Graph Theory, Sequential Simulation and Finding Inductive Invariants, grouped under Synthesis and Verification)
  • Quickly find and prove small properties
  • Approximation to reachability
  • EECS 290a, IWLS ’06
  • Known-unreachable states are sequential don’t-cares
  • IWLS ’06
  • Upcoming IBM internship
  • EECS 219C
  • Build reachability approximation
  • Interpolation explores a smaller state space
  • EECS 219C
  • Efficiently store candidate properties
  • IWLS ’06, WG ’06, WG ’07
  • Quickly refute candidate properties
  • Under investigation
  • Only help where reachability info is needed most
  • Motivated by work at Calypto
  • IWLS ’07

  4. Outline (roadmap diagram: Synthesis / Verification; Approximate Reachable States, Interpolation, Sequential Synthesis, Better Verification, Sequential Simulation, Graph Theory, Finding Inductive Invariants)

  5. Approximating the Reachable States (diagram: initial states I inside the reachable set)
  • Prove local properties that hold in all reachable states
  • Their conjunction gives a reachability approximation

  6. Quickly Proving Local Properties
  • Use simple induction to prove the properties
    • “Sequential Equivalence Checking without State Space Traversal,” van Eijk, DATE ’98
  • Biggest obstacle is an overly large set of candidate properties
    • Candidates are discovered through random simulation, which is inadequate for large designs
  • Candidates are Boolean implications
    • Lots of expressive power
    • Can minimize the number of implications under test by applying a reduction technique on the implication graph
  • Can also window the candidate set to only prove small subsets at a time
    • Can hurt results, because sometimes we need multiple implications to be proved in parallel

  7. Outline (roadmap diagram repeated from slide 4; next topic: Interpolation)

  8. Motivation for Interpolation
  • Desire to experiment with a state-of-the-art model checker
  • Chose interpolation because it is complete and fast
    • “Interpolation and SAT-Based Model Checking,” McMillan, CAV ’03
    • “An Analysis of SAT-based Model Checking Techniques in an Industrial Environment,” Amla, CHARME ’05

  9. Reachability-Based Verification (flowchart; diagram shows initial states I, bad states B, and images 1 and 2)
  frontier := initial states
  loop:
    Bad state reached? sat → Property Falsified
    unsat → frontier += image(frontier)
    Fixed point? yes → Property Verified; no → repeat

  10. Interpolation (flowchart; diagram shows initial states I, bad states B, a state S, and approximate images 1 and 2)
  Initialize approximation parameters
  frontier := initial states
  loop:
    Reachability: Bad state reached?
      sat → Cex reached on a BMC from the initial state? yes → Property Falsified; no → Tighten approximation parameters and restart
      unsat → Interpolation: frontier += approxImage(frontier)
    Fixed point? yes → Property Verified; no → repeat

  11. Problems With Interpolation
  • Can explore unreachable states
    • No control over the approximate image, which can contain unreachable states
    • If an unreachable state enters the frontier, many other unreachable states will follow
    • Can lead to an unreachable bad state being explored
  • Requires frequent model refinements
    • Refining the approximation parameters and restarting is the most expensive operation
    • Discards all prior work

  12. Outline (roadmap diagram repeated from slide 4; next topic: Better Verification)

  13. Enhanced Interpolation
  • Interpolation may explore unreachable states
  • Approximate the reachable states to help bound the number of interpolation iterations
  Flow: Quickly approximate reachable states → Interpolate → Property Verified / Property Falsified

  14. Key Observations From Experimental Results
  • Preprocessing imposes a runtime penalty
    • Can be minimized by resource thresholding
    • Need to give it sufficient time to prove properties
  • Ignoring overhead…
    • Faster in 92% of designs, can solve 4% that previously timed out
    • Slower in 4% of the benchmarks
  • Not all invariants help the model checker
    • Adding a constraint to a SAT solver might slow it down
  • We can do better!

  15. Outline (roadmap diagram repeated from slide 4; next topic: Finding Inductive Invariants)

  16. A Better Way to Enhance Interpolation (diagram: initial states I, bad states B, and a state S reached through approximate images 1 and 2)
  • Abstraction refinement is the most expensive step
  • Show either S or B unreachable
    • No other constraints matter
  • Suppose we had a tool to find invariants to do this

  17. Targeted Invariant Tool
  • Given a state S that we want to prove unreachable
  • Find {P} such that
    • {P} implies that S is unreachable
    • {P} can be proved with simple induction

  18. Interpolation with targeted invariants (flowchart)
  Initialize approximation parameters
  frontier := initial states
  loop:
    Bad state reached?
      sat → Cex reached on a BMC from the initial state? yes → Property Falsified; no → Can we find invariants? yes → continue without tightening; no → Tighten approximation parameters and restart
      unsat → frontier += approxImage(frontier)
    Fixed point? yes → Property Verified; no → repeat

  19. Another Application
  • We’ve helped interpolation
    • Short-circuited expensive refinement
  • Can we help other applications?
  • Consider simple induction
    • Technique used to prove properties
    • Is often incomplete. Can we fix this?

  20. Simple Induction Can Also Be Helped (flowchart)
  Obtain a set of candidate properties
  Base case: Is there a way to violate the base case? (Do all properties hold in all initial states?)
    yes → Remove violated candidates and repeat
    no → Inductive step
  Inductive step: Is there a way to violate the inductive step? (For all states where the properties hold, do they hold in all next states also?)
    yes → Remove violated candidates and repeat
    no → Remaining candidates hold in all reachable states
  “Sequential Equivalence Checking without State Space Traversal,” van Eijk, DATE ’98

  21. Enhancing Simple Induction (diagram: a state S satisfying p whose next state XS violates p)
  • Simple induction is fast, but often fails to prove properties that are true
  • If we can show that S or XS is unreachable, then this structure can’t disrupt the proof

  22. Proving Properties by Induction (flowchart)
  Obtain a set of candidate properties
  Is there a way to violate the base case?
    yes → Remove violated candidates and repeat
    no → Inductive step
  Is there a way to violate the inductive step?
    yes → Can we find invariants? yes → re-check the inductive step; no (possibly reachable counterexample states) → Remove violated candidates and repeat
    no → Remaining candidates hold in all reachable states
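As an added example (my code, not from the talk), the candidate-refinement loop of slides 6, 20 and 21 run on a constructed four-bit design: a one-hot ring counter (a, b, c) plus a register d that is never set. Explicit state enumeration stands in for the SAT queries a real tool would issue, and the implication encoding and candidate names are assumptions of this example.

```python
from itertools import product
# Constructed toy design (not from the talk): 3-bit one-hot ring counter a, b, c
# plus a register d that is never set. A state is the frozenset of variables
# that are 1; there are no inputs, so every state has exactly one successor.
VARS = ("a", "b", "c", "d")
INIT = [frozenset({"c"})]

def next_state(s):
    return frozenset(v for src, v in (("c", "a"), ("a", "b"), ("b", "c"), ("d", "d")) if src in s)

def imp(lhs, rhs):
    """Candidate property 'lhs -> rhs'; each side is 'x' (x is 1) or '!x' (x is 0)."""
    lit = lambda x: (x.lstrip("!"), not x.startswith("!"))
    return (lit(lhs), lit(rhs))

def holds(prop, s):
    (lv, lval), (rv, rval) = prop
    return (lv in s) != lval or (rv in s) == rval   # vacuous when lhs is false

def all_states():
    for bits in product((0, 1), repeat=len(VARS)):
        yield frozenset(v for v, bit in zip(VARS, bits) if bit)

def simple_induction(candidates):
    """van Eijk-style simple induction (slide 20). Drops candidates until the
    survivors are inductive as a set. Returns (survivors, refuted); refuted maps a
    dropped candidate to the state whose successor violated it in the inductive
    step, or to None if it already failed the base case."""
    cands, refuted = set(candidates), {}
    for p in list(cands):                       # base case: every initial state
        if any(not holds(p, s) for s in INIT):
            cands.discard(p); refuted[p] = None
    changed = True                              # inductive step, iterated to a
    while changed:                              # fixpoint: dropping a candidate
        changed = False                         # weakens the hypothesis, so re-check
        for s in all_states():                  # explicit enumeration instead of SAT
            if all(holds(p, s) for p in cands):
                t = next_state(s)
                for p in [p for p in cands if not holds(p, t)]:
                    cands.discard(p); refuted[p] = s; changed = True
    return cands, refuted

CANDIDATES = [
    imp("a", "!b"), imp("a", "!c"), imp("b", "!c"),  # true; inductive only as a set
    imp("!a", "b"),  # false: violated in the initial state {c}
    imp("!c", "a"),  # false: refuted from the reachable state {a}
    imp("d", "a"),   # true on reachable states, refuted from the unreachable state {a, d}
]
# Slide 21: with the invariant !d the counterexample state {a, d} is excluded and
# the same loop also proves d -> a: simple_induction(CANDIDATES + [imp("d", "!d")])
```

The refuted map is the raw material for the proof graph of slides 24 to 27: each dropped candidate points at the state S that a targeted invariant tool would next try to prove unreachable.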

  23. Proving That A State Is Unreachable
  • Multiple areas could benefit from a tool that could prove 1 state unreachable
    • Interpolation
    • Simple induction
  • Previous work proves a large set of states unreachable
    • Proves many small properties
  • Can we limit the properties to target states of interest?

  24. The Proof Graph (diagram: nodes alternate between {P}, a set of properties, and S, a state)
  • Edge from S to {P}:
    • Every property in the set is violated in S
    • Proving any such property implies that S is unreachable
    • {P} is how we will prove S unreachable
  • Edge from {P} to S:
    • S is the reason the inductive proof of the properties does not succeed
    • S is the counterexample in the inductive step of the proof
    • Proving S unreachable is a necessary condition for proving any property in the set
    • S is why we can’t prove {P}

  25. Proof Graph Example (diagram: nodes S0, {P0}, S1, {P1}, S2, {P2}, S3, {P3})
  • Input S0
  • Find properties violated in S0
  • Prove {P0}
  • Cover the new states with properties
  • Prove {P3}
  • Prove {P03}

  26. Proof Graph Notes
  • Proof of a property set implies that all parent states are unreachable
  • Proof attempt on leaves only
    • Leaves can be proved independently
  • Select the shallowest leaf for the next proof

  27. Special Case: Cycles (diagram: a cycle through S0, {P0}, S1 and {P1}, with the two property sets merged into one union set)
  • If a cycle develops…
    • Cannot prove either property set independently
    • Might be able to prove them together
    • Successful proof implies both states unreachable

  28. (Flowchart of slide 18 repeated: interpolation with the invariant-finding step before refinement)

  29. Interpolation Results
  • Solves some problems that previously timed out
  • Needs work

  30. Notes on Performance
  • What is “good performance” for a verification tool?
    • Only meaningful statistics are time, memory, and whether or not verification completed
    • Industry is very concerned with completion on a large set of problems
    • Slower on average is OK if we complete on most benchmarks
  • We verify a few designs that previously timed out, but not enough
    • Lack a powerful simulator
    • Lots of false properties in the candidate set
  • This is a work in progress

  31. Outline (roadmap diagram repeated from slide 4; next topic: Sequential Simulation)

  32. Simulation Motivation
  • Safety property in S420
    • “Small” design
    • Timeout for me
  • 50% of candidates remain after a 10 minute simulation
    • Initial candidate set is quite poor
    • Can we refine it in 30 seconds?

  33. Future Work
  • Continue improving my implementation
    • Refine candidates with more/better simulation
    • Try other property domains – maybe implications are the wrong choice
  • Apply my tool in other applications
    • Could synthesis benefit from knowing that 1 interesting state is unreachable?
    • Can another state-of-the-art model checker (UCSB) be fitted to use my tool?

  34. Questions?

  35. Backup

  36. Outline (roadmap diagram repeated from slide 4; backup topic: Sequential Synthesis)

  37. Sequential Synthesis
  • Over-approximate reachable states
  • Under-approximate unreachables
    • Safe to use as sequential don’t-cares
  • Sequential don’t-cares from 2 minutes of pre-processing give the same synthesis results as the exact seqdc set

  38. Outline (roadmap diagram repeated from slide 4; backup topic: Graph Theory)

  39. Why Graph Theory
  • motivation

  40. Minimum Equivalent Graph (diagram: directed graph with nodes A, B, C, D, E, F, G)

  41. Sequential Simulation
  • Many parallel random walks
  • Identify “interesting” states
    • Re-start random walk from each interesting state (Alan Mishchenko)
    • BMC from the interesting states (Jason Baumgartner, IBM)
